Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hello release team,

I propose an update of Gummi in Jessie. The applied patch is a fix for the security problem CVE-2015-7758 [1]. The security team marked this issue as minor/no-DSA [2], so I would upload it to stable as a proposed update. Please see the attached debdiff for details of the changes. I've built the package against stable [3].

Thank you,
Daniel Stender

[1] https://bugs.debian.org/756432
[2] https://security-tracker.debian.org/tracker/source-package/gummi
[3] http://www.danielstender.com/buildlogs/gummi_0.6.5-3+deb8u1_amd64-20151129-1811.build

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gummi-0.6.5/debian/changelog gummi-0.6.5/debian/changelog --- gummi-0.6.5/debian/changelog 2014-02-10 00:51:22.000000000 +0100 +++ gummi-0.6.5/debian/changelog 2015-11-29 18:07:36.000000000 +0100 @@ -1,3 +1,9 @@ +gummi (0.6.5-3+deb8u1) stable; urgency=medium + + * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432). + + -- Daniel Stender <deb...@danielstender.com> Sun, 29 Nov 2015 18:07:12 +0100 + gummi (0.6.5-3) unstable; urgency=low * Fix "FTBFS: automake errors": diff -Nru gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch --- gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch 1970-01-01 01:00:00.000000000 +0100 +++ gummi-0.6.5/debian/patches/no-predictable-tmpfiles.patch 2015-11-29 16:30:54.000000000 +0100 
@@ -0,0 +1,39 @@ +Description: don't generate predictable tmpfile names if filename is given + Quick fix for CVE-2015-7758 (#756432). +Author: Daniel Stender <deb...@danielstender.com> +Bug: https://bugs.debian.org/756432 +Forwarded: https://github.com/alexandervdm/gummi/issues/20 +Last-Update: 2015-11-29 + +--- a/src/editor.c ++++ b/src/editor.c +@@ -204,10 +204,9 @@ + gchar* base = g_path_get_basename (filename); + gchar* dir = g_path_get_dirname (filename); + ec->filename = g_strdup (filename); +- ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base); +- ec->workfile = g_strdup_printf ("%s.swp", ec->basename); +- ec->pdffile = g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR, +- G_DIR_SEPARATOR, base); ++ ec->basename = g_strdup (ec->fdname); ++ ec->workfile = g_strdup (ec->fdname); ++ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname); + g_free (base); + g_free (dir); + } else { +@@ -237,12 +236,9 @@ + if (ec->filename) { + gchar* dirname = g_path_get_dirname (ec->filename); + gchar* basename = g_path_get_basename (ec->filename); +- auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR, +- G_DIR_SEPARATOR, basename); +- logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR, +- G_DIR_SEPARATOR, basename); +- syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR, +- G_DIR_SEPARATOR, basename); ++ auxfile = g_strdup_printf ("%s.aux", ec->fdname); ++ logfile = g_strdup_printf ("%s.log", ec->fdname); ++ syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname); + g_free (basename); + g_free (dirname); + } else { diff -Nru gummi-0.6.5/debian/patches/series gummi-0.6.5/debian/patches/series --- gummi-0.6.5/debian/patches/series 2014-02-10 00:48:38.000000000 +0100 +++ gummi-0.6.5/debian/patches/series 2015-11-29 16:31:22.000000000 +0100 @@ -1,3 +1,4 @@ gummi.desktop.patch automake-subdirs.patch libgthread-2.0_link.patch +no-predictable-tmpfiles.patch
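Review bot: the debian/changelog hunk writes the identifier as "CVE 2015-7758" while the patch header in the same debdiff uses "CVE-2015-7758"; use the canonical hyphenated form in the changelog so the security tracker and anyone grepping the changelog match it. Suggested line: `* Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).`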
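Review bot: in the first src/editor.c hunk (around line 204), `base` and `dir` are still computed with g_path_get_basename/g_path_get_dirname and then freed, but nothing between those calls uses them any more once `ec->basename`, `ec->workfile` and `ec->pdffile` are all derived from `ec->fdname`; drop the two g_path_get_* calls and the matching `g_free (base); g_free (dir);` so the branch does not do dead work. This hunk also introduces a precondition that the diff does not show being met: `ec->basename` and `ec->workfile` now alias the path held in `ec->fdname`, so `ec->fdname` must already be set, and created safely (a mkstemp-style call that opens the file with O_EXCL), before this `if (filename)` branch runs; please confirm it is initialised unconditionally and earlier than this point. Finally, the work file no longer lives next to the user's document (the old `<dir>/.<base>.swp` path is gone), so it is worth checking that relative \input and \includegraphics paths in the document still resolve when LaTeX is run on the work file.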
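Review bot: in the second src/editor.c hunk (around line 237) the same dead-variable pattern appears: `dirname` and `basename` are computed and freed but no longer referenced once `auxfile`, `logfile` and `syncfile` are built from `ec->fdname`; remove them, and if the `else` branch (not shown in the hunk) already derives these names from `ec->fdname` the whole `if (ec->filename)` split can collapse into one path. On the security side, note that the derived names `<fdname>.aux`, `.log`, `.synctex.gz` (and `.pdf` in the earlier hunk) are not created by Gummi with O_EXCL; they are written later by LaTeX, so they are only as unpredictable as `fdname` is secret. Assuming `fdname` comes from a mkstemp-style call in a shared, world-readable tmp directory, a local user can still list that directory, read the work file's name and pre-create the sibling names as symlinks before the compile runs. That window is much smaller than with the old `C_TMPDIR/.<basename>.aux` scheme, but a per-user private directory (mode 0700, e.g. from g_dir_make_tmp) holding all of these files would close it entirely; since the patch header already calls this a "Quick fix", stating that it is a partial mitigation and what the remaining assumption is would help the next maintainer.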